Security Event Management (SEM) and Security Information Management (SIM) systems are typically enterprise-level servers configured to collect, aggregate, and correlate security event data from multiple security event sources. In a standard SEM/SIM system, user's client computers are configured to transmit reports, logs, and other security-related data to the SEM/SIM server periodically. The SEM/SIM server aggregates and correlates the security data received from the client computers and other enterprise devices and sources, such as network routers, firewalls, and services, to generate a report of security events. Typically, the SEM/SIM servers are passive and do not automatically respond to the security events. Rather, security personnel may review the report of security events and take appropriate action.
Historically, the security perimeter of an enterprise correlated to the physical perimeter of that enterprise (i.e., the building in which the enterprise was located) because the majority of computing devices were stationary. However, as computing devices become ever more mobile, the enterprise security perimeter is expanding or, in some cases, vanishing entirely. As such, centrally located security systems, such as traditional SEM/SIM servers, struggle to maintain security over the enterprise as a whole and, particularly, over the large number of mobile computing devices.